[ossec-list] OSSEC Agents randomly disconnecting from Manager

2019-12-27 Thread Will Furstenau
Hi, I'm having a strange issue. I have agents that normally report to the manager just fine, but after an undetermined amount of time, this appears in the logs 2019/12/16 01:20:55 rootcheck: INFO: Starting rootcheck scan. 2019/12/16 01:40:58 rootcheck: INFO: Ending rootcheck scan. 2019/12/16

[ossec-list] OSSEC agents spooling

2019-11-13 Thread Buser85
Can somebody give some feedback in relation to the below please: In the event an OSSEC core server was to go offline for an extended period of time will the agents keep storing syscheck alerts locally until the core comes back online? If the agents do spool alert logs locally the risk is

Re: [ossec-list] OSSEC Agents are not Connecting to Different Network Segments

2019-07-18 Thread dan (ddp)
On Thu, Jul 18, 2019 at 1:39 AM sunitha s wrote: > > Hi All, > > I Have Installed the OSSEC version 3.1 in Ubuntu 16.04 in My Local PC. > I Have Installed OSSEC Agents in the same Network segment, the Agents are > connected and sending logs to OSSEC Server, and also installed agents in >

[ossec-list] OSSEC Agents are not Connecting to Different Network Segments

2019-07-17 Thread sunitha s
Hi All, I Have Installed the OSSEC version 3.1 in Ubuntu 16.04 in My Local PC. I Have Installed OSSEC Agents in the same Network segment, the Agents are connected and sending logs to OSSEC Server, and also installed agents in different network segments, all the Configuration are done

Re: [ossec-list] OSSEC Agents Unable to Connect to Server

2017-03-27 Thread dan (ddp)
On Mon, Mar 27, 2017 at 10:50 AM, Marc Baker wrote: > OSSEC agents this morning were working without issue and then began > reporting as Disconnected. Agent logs are returning the following error: > > 2017/03/27 10:14:38 ossec-agent: WARN: Process locked. Waiting for >

[ossec-list] OSSEC Agents Unable to Connect to Server

2017-03-27 Thread Marc Baker
OSSEC agents this morning were working without issue and then began reporting as Disconnected. Agent logs are returning the following error: 2017/03/27 10:14:38 ossec-agent: WARN: Process locked. Waiting for permission... 2017/03/27 10:14:49 ossec-agent(4101): WARN: Waiting for server reply

Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server

2016-06-20 Thread Jesus Linares
Before doing what I said above, check if your client.keys doesn't have duplicated IPs. On Monday, June 20, 2016 at 9:35:12 AM UTC+2, Jesus Linares wrote: > > Hi Tahir, > > It could be an issue with the keys. OSSEC (agents and manager) keep a > counter of each message sent and received in

Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server

2016-06-20 Thread Jesus Linares
Hi Tahir, It could be an issue with the keys. OSSEC (agents and manager) keep a counter of each message sent and received in /var/ossec/queue/rids. This is a technique to prevent replay attacks. Let's try the following: - In an agent of your particular subnet: stop it and go to

Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server

2016-06-17 Thread dan (ddp)
On Fri, Jun 17, 2016 at 5:27 AM, Tahir Hafiz wrote: > Thanks. I am seeing this in the alerts.log for the ones not connecting, I > mean they seem to be able to connect in network terms but not the OSSEC > server instance process: > ossec-remoted(1408): ERROR: Invalid ID for

Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server

2016-06-17 Thread Jose Luis Ruiz
Hi Tahir, Your Agents configuration are with static IP, Network or set to ANY? Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On June 17, 2016 at 11:27:22 AM, Tahir Hafiz (tahir.ha...@gmail.com) wrote: ERROR: Invalid ID for the source ip -- --- You received this

Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server

2016-06-17 Thread Tahir Hafiz
Thanks. I am seeing this in the alerts.log for the ones not connecting, I mean they seem to be able to connect in network terms but not the OSSEC server instance process: ossec-remoted(1408): ERROR: Invalid ID for the source ip: 'a.b.c.d'. ossec-remoted(1213): WARN: Message from a.b.c.d not

Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server

2016-06-17 Thread Jesus Linares
It should work with port 1514 UDP. First, check if you have connectivity between agents and manager (ping, telnet, tcpdump...) and review your network settings (routers, firewall rules, etc). Then, check out the ossec.log of each agent to see what it is the issue. On Thursday, June 16, 2016 at

Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server

2016-06-16 Thread dan (ddp)
On Thu, Jun 16, 2016 at 12:27 PM, Tahir Hafiz wrote: > We have an OSSEC server located in one particular subnet and the majority of > the agents are located in the same subnet and work fine. > However, we have a few OSSEC agents located in a different subnet and they > are

[ossec-list] OSSEC agents on different subnet unable to connect OSSEC server

2016-06-16 Thread Tahir Hafiz
We have an OSSEC server located in one particular subnet and the majority of the agents are located in the same subnet and work fine. However, we have a few OSSEC agents located in a different subnet and they are having problems being able to connect to the server. We have opened up port 1514

Re: [ossec-list] OSSEC agents show as Active even after the OSSEC Process on server is stopped

2016-04-07 Thread Pedro S
Jesus is totally right. The time out he is talking about is: 3*NOTIFY_TIME+30, NOTIFY_TIME by default is 600 seconds. Check the last modification file date on every agent-info/* file and wait until that time is more than 30'30''. Best regards, Pedro S. On Thursday, April 7, 2016 at

Re: [ossec-list] OSSEC agents show as Active even after the OSSEC Process on server is stopped

2016-04-07 Thread Jesus Linares
Hi, in order to know if an agent is connected, disconnected or never connected OSSEC reads the modification date of the files in /var/ossec/queue/agent-info/*: - if there is no file for the agent the status is *never connected* - if the modification time of the file is less than a

Re: [ossec-list] OSSEC agents show as Active even after the OSSEC Process on server is stopped

2016-04-05 Thread sandeep
Hello Dan, Thanks for the reply. Yeah it's the old data, I ran ./agent_control -lc|grep ID:|wc -l to list the count of agents active and it shows as 3k even though the manager's ossec process is stopped. I am trying to figure out where the cache is stored. I need to remove that data before

Re: [ossec-list] OSSEC agents show as Active even after the OSSEC Process on server is stopped

2016-04-05 Thread dan (ddp)
On Tue, Apr 5, 2016 at 11:01 AM, sandeep ganti wrote: > Hello, > > I do have like 6k servers in my environment connected to one of the OSSEC > Server/manager. Out of the 6k only approx 3k are showing up as active and > the rest they are shown as disconnected. I decided

[ossec-list] OSSEC agents show as Active even after the OSSEC Process on server is stopped

2016-04-05 Thread sandeep ganti
Hello, I do have like 6k servers in my environment connected to one of the OSSEC Server/manager. Out of the 6k only approx 3k are showing up as active and the rest they are shown as disconnected. I decided to kill the OSSEC Process on the Server/manager and perform a restart so that upon the

Re: [ossec-list] OSSEC agents frequently alternating between active and disconnected

2015-05-11 Thread Santiago Bassett
Hi Steve, yes, what you said makes sense. Those kinds of messages are typically related to network issues, so I think there might be something we are missing. If that is ok with you I'll send you a private message, since I've been a long-term Alienvault employee and maybe I can help. Best On

Re: [ossec-list] OSSEC agents frequently alternating between active and disconnected

2015-05-11 Thread Steve MacDougall
Sure. That would be great. As I mentioned, I have a case open with AV already, but I think the tech that's working on my case is in Ireland, so our work hours don't overlap much. Anything you can do to help would be appreciated. If you have access to the support cases, it's case # 00056663.

Re: [ossec-list] OSSEC agents frequently alternating between active and disconnected

2015-05-11 Thread Steve MacDougall
I added the agents using the IP address of the OSSEC server, which is statically configured. The server has multiple interfaces, but I used the IP address appropriate for the VLAN my agents were connecting from. I've confirmed the connections come in on the expected interface from the expected

Re: [ossec-list] OSSEC agents frequently alternating between active and disconnected

2015-05-11 Thread Santiago Bassett
Hi Steve, do you use DHCP or fixed IP addresses in your environment? Do your servers have one or more than one IP? When you added the agents, did you use fixed IPs for each one? Is tcpdump output showing the same IP you used when adding those? Best On Mon, May 11, 2015 at 8:54 AM, Steve

[ossec-list] OSSEC agents frequently alternating between active and disconnected

2015-05-11 Thread Steve MacDougall
I have OSSEC running as part of an Alienvault installation, with about 20 agents configured. Recently I've observed that most of the agents will show as disconnected. After a few hours all of them except for one or two will show active again. Then within a short period of time, most of them

Re: [ossec-list] OSSEC Agents cache Events if OSSEC Server is down nowadays?

2015-01-13 Thread SoulAuctioneer
I just investigated this as I've been working on the eventchannel code quite a bit. The eventchannel stuff will both bookmark the last location so the agent can pick up again where it left off. Also, if the manager is down and seen as disconnected by the agent then it will also behave the same

Re: [ossec-list] OSSEC Agents cache Events if OSSEC Server is down nowadays?

2014-06-18 Thread horst knete
Hi, thx for your response. Considering some changelogs that I saw and the tests that I made, ossec still doesn't buffer the logs/ continue with the last not sent event. Indeed I tested NXLOG as the shipper for windows-events and it works pretty well in the community edition but don't have the

Re: [ossec-list] OSSEC Agents cache Events if OSSEC Server is down nowadays?

2014-06-18 Thread dan (ddp)
On Wed, Jun 18, 2014 at 2:19 AM, horst knete baduncl...@hotmail.de wrote: Hi, thx for your response. Considering some changelogs that I saw and the tests that I made, ossec still doesn't buffer the logs/ continue with the last not sent event. The OSSEC project does accept code contributions.

[ossec-list] OSSEC Agents cache Events if OSSEC Server is down nowadays?

2014-06-17 Thread horst knete
Hey Guys, we are implementing an OSSEC Installation in our Environment due to the great functionality of the System. We got Agents on both Linux and Windows and the Log Shipment is working fine. But as we tested what happens if the OSSEC Server goes down (i. e. for maintenance) the

Re: [ossec-list] OSSEC Agents cache Events if OSSEC Server is down nowadays?

2014-06-17 Thread dan (ddp)
On Tue, Jun 17, 2014 at 4:17 AM, horst knete baduncl...@hotmail.de wrote: Hey Guys, we are implementing an OSSEC Installation in our Environment due to the great functionality of the System. We got Agents on both Linux and Windows and the Log Shipment is working fine. But as we tested

Re: [ossec-list] OSSEC Agents cache Events if OSSEC Server is down nowadays?

2014-06-17 Thread dan (ddp)
On Tue, Jun 17, 2014 at 4:17 AM, horst knete baduncl...@hotmail.de wrote: Hey Guys, we are implementing an OSSEC Installation in our Environment due to the great functionality of the System. We got Agents on both Linux and Windows and the Log Shipment is working fine. But as we tested

Re: [ossec-list] OSSEC Agents cache Events if OSSEC Server is down nowadays?

2014-06-17 Thread Michael Starks
On 2014-06-17 3:17, horst knete wrote: Hey Guys, we are implementing an OSSEC Installation in our Environment due to the great functionality of the System. We got Agents on both Linux and Windows and the Log Shipment is working fine. But as we tested what happens if the OSSEC Server goes

Re: [ossec-list] OSSEC Agents Spawned from Image?

2013-04-12 Thread dan (ddp)
On Thu, Apr 11, 2013 at 4:09 PM, Sam Oehlert somidsc...@gmail.com wrote: I can't find a way to accomplish this, but basically the situation breaks down like this: We have a group of machines that are all booted off of one image over the network. We would like to have the agent running on them,

[ossec-list] OSSEC Agents Spawned from Image?

2013-04-11 Thread Sam Oehlert
I can't find a way to accomplish this, but basically the situation breaks down like this: We have a group of machines that are all booted off of one image over the network. We would like to have the agent running on them, but since they don't have persistent storage, that would have to be in

Re: [ossec-list] Ossec agents dont generate alerts for missing files or directories

2013-04-08 Thread dan (ddp)
On Sun, Apr 7, 2013 at 8:44 PM, Erkki Saikkonen eki.saikko...@gmail.com wrote: Hi, New to using Ossec, need help with use and alerts. Why don't OSSEC agents generate alerts if you remove directory or file listed in syscheckd Agents never generate alerts, only servers (and local installs)

[ossec-list] Ossec agents dont generate alerts for missing files or directories

2013-04-07 Thread Erkki Saikkonen
Hi, New to using Ossec, need help with use and alerts. Why don't OSSEC agents generate alerts if you remove directory or file listed in syscheckd configuration in ossec.conf? Other thing is that OSSEC doesn't report changes of ownership or rights for directories at all. Only for files changes

Re: [ossec-list] Ossec agents are not appearing in Ossec Server

2013-03-05 Thread dan (ddp)
On Mon, Mar 4, 2013 at 2:46 AM, Umair Mustafa umair.ksa2...@gmail.com wrote: I installed Ossec Server and some agents on other servers. But the thing is that out of 10 agents only 7 servers are able to communicate with Ossec Server and 3 are not. This is the Ossec Server information

[ossec-list] Ossec agents are not appearing in Ossec Server

2013-03-04 Thread Umair Mustafa
I installed Ossec Server and some agents on other servers. But the thing is that out of 10 agents only 7 servers are able to communicate with Ossec Server and 3 are not. This is the Ossec Server information DIRECTORY=/var/ossec VERSION=v2.5.1 DATE=Thu Jan 13 17:03:30 AST 2011 TYPE=server

Re: [ossec-list] OSSEC agents

2012-06-05 Thread dan (ddp)
On Thu, May 31, 2012 at 1:07 PM, Maahkus mark.v...@gmail.com wrote: Is there a log file that displays what authenticated user or the date and time a new agent was added? I need to track a newly added agent to the user that added - can't seem to figure out how.. Regards, Nope. There may be a

Re: [ossec-list] OSSEC agents

2012-06-05 Thread Daniel Cid
Every time an agent is first connected, OSSEC generates an alert for it: Rule: 501 (level 3) - 'New ossec agent connected.' So you can probably use that to get more information when it was first connected... But there is no easy (standard) way to detect when the client.keys file was modified

[ossec-list] OSSEC agents

2012-05-31 Thread Maahkus
Is there a log file that displays what authenticated user or the date and time a new agent was added? I need to track a newly added agent to the user that added - can't seem to figure out how.. Regards,

[ossec-list] OSSEC agents grouping

2011-07-26 Thread gopal krishnan
Hi Dan, I need a help on how to group the OSSEC agents? For Example, I have a OSSEC server already installed and up Now i want to install OSSEC agents on nearly 300 servers I want to group all these agents like the following, Production Application Production Web Production SQL Production

Re: [ossec-list] OSSEC agents grouping

2011-07-26 Thread dan (ddp)
What do you mean by group them? In what? On Tue, Jul 26, 2011 at 10:42 AM, gopal krishnan gopikrishna...@gmail.com wrote: Hi Dan, I need a help on how to group the OSSEC agents? For Example, I have a OSSEC server already installed and up Now i want to install OSSEC agents on nearly 300

[ossec-list] ossec agents

2011-02-10 Thread Rob
I have a ossec installed as master/agent setup. There are about 30 agents running with one master. I recently changed the ossec.conf to monitor changes in directories to real time directories realtime=yes check_all=yes/etc,/usr/bin,/usr/sbin/ directories directories realtime=yes

Re: [ossec-list] ossec agents

2011-02-10 Thread dan (ddp)
You need to change it in each system's ossec.conf, or utilize the agent.conf. Changing it in the manager's ossec.conf will only affect the manager. On Thu, Feb 10, 2011 at 9:01 AM, Rob robr...@gmail.com wrote: I have a ossec installed as master/agent setup. There are about 30 agents running

Re: [ossec-list] ossec agents

2011-02-10 Thread Satish Patel
I believe you have to do on all agent. Also you can do centralized with configure agent.conf file at server. -- Sent from my iPhone On Feb 10, 2011, at 9:01 AM, Rob robr...@gmail.com wrote: I have a ossec installed as master/agent setup. There are about 30 agents running with one master. I

[ossec-list] Ossec agents not communcating with the server

2009-03-18 Thread Jose Luis Vázquez González
The ossec agents are NOT communicating with the server... 1) IT IS NOT a firewall issue, FIRST I added the 1514/udp rule to the server firewall, THEN I even tried to take down iptables completely in both agents AND the server. 2) I reinstalled the keys (as explained here

[ossec-list] ossec agents

2007-08-28 Thread Dan
Hi list, I have a quick architecture question. I saw that there is much less information in the ossec.conf from the agent than in the server. Does the agent take the ossec.conf from the server to do all tests? What do I have to do when some agents need to check some logfiles which aren't

[ossec-list] OSSEC Agents on DHCP hosts

2006-10-06 Thread Simpson, Brett
I have a few hosts that use DHCP. The problem is if I add an agent with a particular IP it's only good till the machine gets a new address. I would prefer not to extend the lease or add the MAC addresses into DHCP as some of the machines will move to different DHCP zones when traveling. Would